Differences

This shows you the differences between two versions of the page.

devel:documentation:security:dev:authorization [2020/04/22 11:21]
tomiskar
devel:documentation:security:dev:authorization [2020/04/23 09:52]
tomiskar [Default settings of permissions for an identity profile]
Line 395: Line 395:
     * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator      * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator 
     * Scheduler (IdmLongRunningTask) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Scheduler (IdmLongRunningTask) | Displaying in autocomplete, selections | BasePermissionEvaluator
 +    * Code lists (IdmCodeList) | Displaying in autocomplete, selections | BasePermissionEvaluator
 +    * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, selections | CodeListItemByCodeListEvaluator or CodeListItemByCodeEvaluator
   * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.   * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.
   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator
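
Review bot: The added IdmCodeListItem entry names two evaluators joined by "or" (CodeListItemByCodeListEvaluator or CodeListItemByCodeEvaluator) without saying which one belongs in the default profile or how they differ. Every other entry in this list names exactly one evaluator, so an administrator copying these defaults has to guess here. State which evaluator is the recommended default and in one clause what each one scopes access by, or split the entry into two bullets with their conditions.
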
Line 460: Line 462:
 ==== Settings of permissions of identity basic attributes ==== ==== Settings of permissions of identity basic attributes ====
  
-If we want to enable for currently logged identity update all basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows: +If we want to enable for currently logged identity change all basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows: 
-  * Permission to update identity: Users (IdmIdentity) | Update, Change phone, Change personal number, Change note, Change login, Change user type (projection), Change email, Change first name, surname and titles | BasePermissionEvaluator+  * Permission to update identity and attributes: Users (IdmIdentity) | **Update**, Change phone, Change personal number, Change note, Change login, Change user type (projection), Change email, Change first name, surname and titles | BasePermissionEvaluator
  
-<note tip>Can be combined with subordinates evaluation to enable update attributes for managers only.</note>+<note tip>Can be combined with [[#manager_and_subordinates|subordinates evaluator]] to enable update attributes for managers only. When identity is created, then **CREATE** permission is needed only - additional permissions are evaluated for **UPDATE** identity only.</note> 
 + 
 +<note important>This configuration is **required from version 10.3.0** for update basic identity attributes.</note>
  
 ==== Settings of permissions of identity form (extended) attribute values ==== ==== Settings of permissions of identity form (extended) attribute values ====
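
Review bot: The reworded tip says that on creation "CREATE permission is needed only" and that the additional permissions are evaluated for UPDATE only, which means the per-attribute permissions listed in the bullet (Change login, Change user type (projection), Change email, and so on) place no limit on values set while creating an identity. That deserves its own sentence rather than a trailing clause in a tip about managers, so that whoever grants CREATE knows it covers all basic attributes. The new "required from version 10.3.0" note should also say what happens to existing policies that carry only Update after an upgrade (whether attribute changes start being denied), and the lead sentence speaks of the "currently logged identity" while the bullet lists only BasePermissionEvaluator, so it is worth stating which identities this policy actually applies to.
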
  • by koulaj